View Full Version : SMTP Security -- why isn't Authentication needed?

01-27-2004, 02:49 PM
I notice that I do not need to config my mail client to use a username and password to connect to my domain's SMTP server to send mail. (I have not changed the default setup except adding accounts and aliases through SiteManager)

How does the SMTP server prevent others from sending mail as if it came from one of my users?

Couldn't anyone who knows a valid username on my domain, setup a mail client to use my domain's SMTP server to send mail on that person's behalf? They could not retrieve that person's mail without their password, but they could send out spam that looks like it came from them.

I notice the /etc/mail/relay-domains file. It has a lot of entries of IP addresses (most of them the same address over and over. I think its my public IP from my ISP. I wonder if every time there is a successfull pop3 login it puts the remote IP in this file indicating that its OK to relay from this host.

I don't have access to another IP address to test this out. I tried setting up a fresh host to send mail on behalf of a fictious user on my domain without trying to retrieve mail. It worked, but this machine shares my ISP and therefore has the same public IP as my machine so its not a perfect test.

I am wondering whether I should figure out how to enable authentication for the SMTP server.



01-27-2004, 04:38 PM
It sounds like you have a "POP before SMTP" authentication set up. The old Westhost sites would only work like that. You need to poll your mail using POP (authenticated) and then the same IP would be accepted for (ISTR) about 30 mins.
I'm not sure how you convert it to being an authenticated SMTP. When I create an account in the Reseller Manager, I have the option to create it with or without "POP before SMTP" but I don't know how to change it later.

If you find out, let us all know...

01-27-2004, 08:16 PM
Yes that sounds like it. It seems to work well. I just wanted to make sure that the SMTP server was not open. Is authneticated SMTP the prefered method now, or is POP before SMTP still used in new 'installations'?

01-28-2004, 02:02 AM
Dunno. I prefer authenticated... I'm not sure what new installations have.